 Yeah, so thank you all for coming and today I'll be talking about Laconic zero knowledge to public key cryptography This is joint work with E. Thy Berman Ron Rothman and Prashant Nalini was a devil. Okay, so let's get started Good so public encryption. We all love no and love public encryption So it allows two people who have never met each other to communicate securely In this case Alice holds a secret key. There's a public key which is up in the sky It allows Bob to send a message encrypted to Alice such that any eavesdropper Eve who looks at this Conversation cannot understand what the message is Right, so public key encryption has been around for a while. It's extremely useful at the same time. It's quite rare So we know public key encryption constructions from a handful of candidates largely based on number theory and on lattices so it's a very Like it's a very important open question that we want to construct public key encryption from different kinds of assumptions and Different in the sense that they look Qualitatively different from the kind of assumptions we know today. Okay, so in this talk our goal is a bit different So we want to understand What kind of structure or what kind of complexity theoretic structure implies public key encryption? So we the goal is twofold. So first of all, we want to understand Why is it that public key encryption is so like that so few assumptions actually give us public key encryption? And the hope is that this kind of understanding will enable us to find other assumptions Which give us public encryption. Okay, so what kind of answers are we happy with? So the best possible answer would be to say that NP hardness implies public key encryption So if P is not equal to NP then we have public key encryption So unfortunately, this seems a bit too much to hope for today We don't we actually don't know any cryptography based on this worst case assumption Also, there are some barriers known to achieving to constructing cryptography from these From NP hardness alone The next best thing we could hope for is to say that if one of the functions exists then public key encryption also exists and Again, it seems like a fairly difficult problem. So let's look at something which seems more reasonable Which is to think of this class of a statistical zero knowledge problems. So I'll come to what it is in a minute So there are a few things we go this class has going for it First of all, we don't know any impossibility results for this class Secondly, we know that it actually implies one-way function So any language which is in this class and his average case hard actually implies one-way functions So that's good. And we also know that the many problems which imply public key encryption line this class. So It looks like a promising place to look Let me remind you what the definition of this class So it was defined by Shafi Silvio and Charlie Rakoff. It's an interactive so there is a prover who is trying to prove that a certain instance is in the language and it has the standard properties, which is that if the instance is actually in the language then the prover succeeds in convincing the verifier that X is in the language if X is not in the language then Cheating prover Cannot convince a verifier that X is in the language. So the verifier would with high probability reject this transcript and Here this comes soundness comes in two flavors So we say that it's a proof if the prover is allowed to be computationally unbounded While we would say that it's an argument if the prover is only allowed to be efficient So which means that the prover can in particular not be a crypto and zero knowledge. So usually We consider a notion of zero knowledge, which is secure against Malicious verifiers, but in this talk, we would only need honest verifier notion. So let me define that for you So this is defined by the famous simulation paradigm We say that a prover We say that the verifier learns nothing if the verifier could have simulated this transcript completely by him himself herself Informally that there is a simulator such that this simulator outputs transcripts Which has statistically close to transcripts of the real distribution So here we actually want statistically close not computational indistinguishable that these transcripts Have a distribution which is very similar to the actual one So just a reminder how big is this class right? So it's a relatively small class when compared to NP if it's bigger than P But relatively small class Interestingly it can has many of the problems which give public encryption for example LWE quadratical Citiocity and so on right so can we construct public encryption from statistical zero knowledge and It seems challenging One key reason behind this is that SAK the class also has problems like discrete log which have been around for a really long time And we still don't know public encryption based on these problems Okay, so can we impose more structure to actually get something and To that end let's look at an example So let's consider quadratic non-versed curiosity And let me remind you what the problem is so in this problem The instance consists of a number n which is a product of two primes and the number y Which we have to answer is it a square or not module n okay, and This has a very nice is your knowledge proof What the verifier does is the following that the verifier picks a square Multiplies it by y or not and sends this across as the challenge and What the prover has to answer is that is see a square or not so if It was multi if the verifier actually multiplied y to the square Then this would not be a square on the other end if the verifier did not then this should be So the prover replies back an answer which says is this a square or not and this can be done efficiently Okay, so what are the properties of so this proof This proof system by the way is a very similar to the Goldwasser Mikali encryption scheme So what are the properties this scheme has? So first of all, it's a honest verify a statistical zero-knowledge proof The verify actually learns nothing here because all the verify does is the verify sends across a Number knowing whether it's a square or not and gets back an answer which says the same thing Secondly, we know that we can sample hard instances here So you take two primes multiply them together and you get these instances We know that the prover is efficient So the prover when given the factorization of the integer n can actually answer these queries efficiently and Finally, we know that the prover talks really little like the prover is only communicating one bit which says is it a square or not? Okay, so in this paper what we show is that these four properties are sufficient that is if you have a SDK proof system, which is an honest verify SDK proof or argument It's such that first of all the prover is efficient and secondly the prover talks little Along with a hard language Where you can sample? Okay Okay, so along with a hard language such that It has two distributions a yes distribution and a no distribution with samples instances in the language and not in the language For the instances which are in the language you sample them with a corresponding witness So we show that if you have a language with both of these properties, then you can actually construct public key encryption from this So a few points to note so first of all honest verify is actually a weakening of the notion of zero knowledge So it actually makes a result stronger that you have to construct a weaker proof system than a full-fledged SDK argument Secondly argument is also weaker than a proof in the sense that you only have to achieve soundness against efficient provers and One point to note is that cryptographically higher language like this notion of hardness is different from the usual Notion of average case harness in the usual notion of average case harness What we want is that there is one distribution with samples hide instances you cannot tell if they're in the language or not So here we are asking that these to be separated like sample separately and in particular this notion does imply one-year function So it should be hard to come up with the witness given the instance and so this implies Okay, so what we show is that these properties are sufficient to Actually construct public encryption Now what you should ask yourself is How reasonable is this so there are two notions of what we could Mean by reasonable. So first of all what kind of assumptions are actually captured by this characterization and Secondly, can you relax? these conditions primarily the conditions of efficient prover and The Lapani proof system, so I'll come to both of these now Okay, so first of all in terms of instantiation, so here's an exhaustive list of assumptions, which are known to imply public encryption and So this assumption captures basically all the decision variants decision assumptions here It does not capture factoring and CDH Well, it does capture say QR and LWE and the assumptions which are given by Apple, Bombardak and Wigdason and And Yeah, so captures most of them. We don't actually know zero SDK proofs for a factoring and so Okay, so how about relaxing the assumptions right like so there are two key limitations here the first one is that the prover has to be efficient and The second one is that the proof this proof system the prover has to talk little so here We are saying that the prover can only talk a sub logarithmic number of bits. So how reasonable are these assumptions, right? So first of all, okay, if we relax the efficient prover assumption We know by this beautiful work of Sahay and Vadhan that it would imply that a ZK hardness implies public encryption so this happens because We know that all of statistical zero knowledge has a Lapani zero knowledge proofs like proofs where the prover communicates only one bit and How about Relaxing the Lakanik condition right so first of all if we can completely relax the Lakanik condition and have no restrictions placed whatsoever then this actually implies one way function a public encryption from one way functions and this is because all of NP has these statistical zero knowledge arguments and Which are efficient prover? Even relaxing it to polylog for a fixed polylog would be Fantastic, so it would it would imply that exponentially hard one-way functions do imply public encryption So today what we know is that exponentially hard one-way functions imply Merkel puzzle style Constructions which have a security of about n squared So this would imply full-fledged public encryption, which is very far from what is known today Okay, so what we saw is that? These two conditions together imply public encryption It turns out that public encryption itself implies a weaker form of these this crypto system so any public encryption scheme implies not a language, but rather a pair of distributions such that There is a yes distribution and a no distribution the yes distribution has sad comes with Witness and also a zero-knowledge proof system So this proof system is not so it's weak because both completeness and soundness here hold on average So they don't hold for every possible instance But they hold on average for an instant sampled according to either the yes distribution or the no distribution okay, and You can go back So once you have this assumption you can actually this assumption itself implies public encryption so this gives you a characterization of public encryption in terms of a Zero-knowledge proof system to some a still now what we have seen is that a laconic efficient proof on a surface a key arguments Give along with the ability to sample hard instances gives us public Okay, so in the remaining time I have let me talk about the kind of techniques which going to this Good so as a warm-up let's start with two message deterministic a proof system So what this means is that there's a prover and the verify the prover the verify is first going to send a challenge And then the prover is going to send back a response at this point the verify would decide whether to accept This response doesn't have to be a bit like a bee seems to be confusing but it can be longer So how and Since it's a zero-knowledge proof we have a simulator the simulator is going to output simulated transfer which I denoted by the dash So as a simplifying assumption, let's assume that we have perfect completeness and perfect zero-knowledge both of these can be Relaxed okay, so just to point out that this kind of a proof system is also known as a hash proof system So how do we construct public encryption from this? So let's start by constructing a weak key agreement protocol and this can be amplified to So what Alice does is that Alice first samples a yes instance along with her witness and She sends across the instance to Bob Both of I both Alice and Bob want to agree on something and At this point what can the Bob do so Bob only has the instance Bob does not have a witness So Bob can essentially run the simulator and that's what Bob does so Bob runs the simulator and Bob generates a transfer and from this transcript Sends back the verifiers challenge back twice and outputs the proof-wise response as The key Bob has agreed Now Alice has something which Bob did not which is the witness of this Instance and so Alice uses that to run the proof and at this point Alice outputs the response given by the So based from these two what you want to show is that a first of all Alice and Bob actually agree and Second of all we would like to show that this is actually secure Good so in terms of correctness the first thing to observe is that because the prover is deterministic the Verifiers challenge actually fixes the response the prover is going to give So every very fast challenge has a unique response which would be given by the prover Secondly, we know that because the zero knowledge is perfect the simulator would also be sampling from the same Distribution as the original and the link distribution So this tells us that the simulated output B prime would be the same as the original output B Okay, how about security? right, so we want to show that The adversary cannot predict this message B prime with Probability more than say the soundness earth and so in this case we would show this by contradiction We will show that if this adversary could break Could actually predict it with high probability. We can use it to break average case hard We would do this by roughly treating the adversity as a cheating So here's the distinguisher we would consider so we have the very fire the very fire and The adversary taking the role of the prover and now the verify on input X runs the Runs the distinguisher runs the very fire gets the first message Feeds it to the adversary sees the response and sees if this would be accepted or not and So if X is actually in the language then by an assumption that this adversary is violating security This should be accepted because the original prover's response was going to be accepted and So then the distinguisher would output. Yes with probability more than the soundness earth On the other hand for an instance, which is not in the language By the property by soundness, you know that it's going to be accepted by a probability Which is less than this value and this gives us a contradiction So this is a weak public weak key agreement protocol and this can be amplified to full-fledged PKE using This work of four inch time and then Okay, so now we have made that this was a warm up So we have made a couple of simplifying assumptions here, which we would like to remove and The assumptions where the following dates first of all we assumed that the prover was deterministic. We would like to handle randomized Second of all this was a two message encryption to message system we would like to handle many rounds and This introduces an additional challenge that in this case the prover had no state All I needed to run this prover was take the next message Then the prover you get something on the other hand now to run a prover which acts for many rounds This prover can keep state and somehow we need a way to handle this issue There are some other challenges like relaxing these conditions with those we'll ignore for now So now let's see how do we deal with randomized provers? So this is the scheme we had a deal right like Alice sent across the instance got back a very Very fast challenge as the next message and both of them output The prover is response as generated in two different ways. So what happens to this? So first of all the security still is fine like nothing in the proof was affected here But on the other hand correctness here Doesn't actually go through the reason is the prover is now randomized So there are multiple responses this prover could have given and now the probability that both of these responses would be the same Is actually low Good, so the way we handle these issues now. I realize I won't have a lot of time to talk about it The way we handle these issues is we come up with an abstraction, which is a weaker notion of So here we would relax the public key encryption notion in two significant ways first of all a sci-fi text in this notion is not bound to a fixed bit But rather bound to a distribution of messages and secondly the adversary here The mess the underlying message is not completely hidden from the adversary, but rather only weekly. So, okay, so I'll actually skip Yeah, I'll actually skip this good. So Right, so the two the main differences here are that the Public sci-fi text does not actually fix the message and secondly for an adversary the adversary has only a weak notion of unpredictability That so we formalize this using So now there are two steps, which we have to talk about which is how do you go from this assumption to from SDK hardness to trapdoor pseudo-entropy generators and secondly from table pseudo-entropy generators to public encryption and Actually since I'm running out of time I'll not talk a lot about it. So first of all here you This part basically abstract us out the SDK proof system and you I left with This notion so there are two challenges you have to handle the first challenges that you have many many rounds and in this case the way it's handled is how Ostoff's V constructs a one-way function, which is you terminate then the similar term you terminate at a random round and The stateful prover we cannot handle completely generically this does require that the proof system is laconic in which case we do some notion of rejection sampling and The second half is an amplification theorem So you have this weak notion of public encryption and from here we want to go to the full-fresh public encryption scheme This is actually the technically more difficult half now you what you have to do is you have to exploit these connections which are known between pseudo randomness and unpredictability and primarily the constructions of pseudo random generators from one way functions and So, okay, let me actually conclude so here we have What we showed is that laconic efficient to work on a sphere for SDK arguments imply public encryption and A big open question is they can we use this to design new public encryption? Okay, with that I'll take questions